On June 4, 2021, the European Commission adopted two new sets of standard contractual clauses (SCCs): one for data transfers from data controllers to data processors and one for data transfers from data exporters to data importers in the United States and other third countries. These new clauses update and replace the SCCs adopted in 2001, 2004, and 2010 that many employers currently use to legally transfer human resources (HR) data for employees based in the European Union (EU).
After the four years of political and constitutional upheaval that has been Brexit, a trade deal—the EU-UK Trade and Cooperation Agreement—was finally reached between the United Kingdom (UK) and the European Union (EU) on December 24, 2020, just days before the deadline on which the UK was set to crash out of all EU treaties.
On July 16, 2020, the Court of Justice of the European Union (CJEU) announced its judgment in the so-called Schrems II case (Case C-311/18), declaring that the EU-U.S. Privacy Shield is invalid because it does not provide an adequate level of protection for the transfer of personal data from the European Union (EU) to the United States.
An employer’s response to COVID-19 involves numerous privacy issues. Below are some answers to frequently asked questions (FAQs) about these issues within the United States and globally, based on laws such as the Americans with Disabilities Act (ADA) (which applies in the United States) and the European Union’s General Data Protection Regulation (GDPR). While many of these principles can be applied globally, employers should always look to applicable local laws in their jurisdictions and guidance from public health authorities. Employers should also consult any applicable internal policies, data privacy notices, employee collective bargaining agreements, employment contracts, and individual employment terms.
As coronavirus disease 2019 (COVID-19) continues to spread, employers have been trying to strike a balance between safety and privacy as they apply their own policies and attempt to follow laws such as the General Data Protection Regulation (GDPR) in the European Union and the Health Insurance Portability and Accountability Act of 1996 in the United States.
On January 31, 2020, the United Kingdom formally left the European Union after 47 years of membership. However, for a transitional period that will end on December 31, 2020, it will still be covered by all current agreements including membership in the European Single Market and European Union Customs Union and rights such as freedom of movement of workers throughout the EU.
The European Data Protection Board (EDPB) and EU supervisory authorities have reported that they have received a large number of complaints during the first six months following the effective date of the GDPR. For example, the EDPB reported that it had received more than 42,000 complaints since May 25, 2018. The French Supervisory Authority (CNIL) reported a 20 percent increase in complaints filed during the first six months the GDPR was effective compared to the same period in 2017. Similarly, the Irish Supervisory Authority reported a 50 percent increase in data breach reports and a 65 percent increase in data protection complaints over the same period. The Irish Data Protection Commissioner also stated that several investigations of multijurisdictional complaints against large companies are being completed and that she expects major GDPR fines to be issued in 2019.
Article 35 of the GDPR provides that a data protection impact assessment (DPIA) must be performed for data processing that “is likely to result in a high risk to the rights and freedoms of natural persons.” DPIAs must contain (1) a description of the processing operation along with the purpose of the processing and, where applicable, the legitimate interest for the processing; (2) an assessment of the necessity and proportionality of the processing operation in relation to the purpose; (3) an assessment of the risks to the rights and freedoms of the data subjects; and (4) the measures to be taken to mitigate the risks.
Although the GDPR was intended to provide a uniform set of data protection requirements across the EU, the GDPR contains several provisions, known as “opening clauses,” that expressly permit individual EU countries to implement additional and/or stricter requirements for certain types of data that employers typically process.
Much has happened since the European Union (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Many EU countries have enacted national legislation to implement and expand the requirements of the GDPR, while other developments have directly affected employers and created new obligations regarding the collection and processing of human resources (HR) data.
On April 19, 2018, the Article 29 Working Party (Working Party), which is comprised of representatives from the data protection authorities in each of the 28 European Union (EU) member states, issued a position paper stating that all employers of EU employees are required to prepare and maintain records of processing activities relating to human resources data pursuant to Article 30 of the General Data Protection Regulation (GDPR).
On March 27, 2018, Helen Dixon, the data protection commissioner for Ireland, outlined the enforcement priorities of the Irish data protection authority (DPA) for the General Data Protection Regulation (GDPR) during the International Association of Privacy Professionals Global Privacy Summit in Washington, D.C. The Irish DPA has been ramping up its compliance capabilities for the GDPR and will undoubtedly serve as the lead DPA for GDPR enforcement for numerous U.S. companies that are headquartered or have locations in Ireland.
With less than six months until the May 25, 2018, effective date for the European Union (EU) General Data Protection Regulation (GDPR), companies are assessing their GDPR readiness and concentrating their compliance efforts on the highest risk areas. What is the highest risk area for GDPR compliance?
On October 18, 2017, the European Commission published its report and supporting documents regarding its first annual review of the EU-U.S. Privacy Shield (Privacy Shield), which sets forth procedures and safeguards for transferring personal data from the European Union (EU) to the United States.
In a judgment that many commentators are calling the most significant in employment law in over 50 years, on July 25, 2017, the United Kingdom’s Supreme Court decided that the system whereby employees must pay fees to bring their claims in the UK employment tribunal should be scrapped.
On June 29, 2017, the Article 29 Working Party (the EU body representing the data protection authorities (DPA) of each EU member country) issued an updated opinion regarding the processing of personal data in the workplace. Recognizing that employers are rapidly adopting new information technology, the opinion updates the Working Party’s 2001 opinion regarding processing data in the employment context and 2002 opinion regarding the surveillance of electronic communications in the workplace.
How do you sum up what just happened in the United Kingdom’s parliamentary election?
On May 25, 2018, a short 12 months from now, employers must be in full compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) for EU human resources data.
As employers catch their breaths after an action-packed 2016, they need to gear up for another turbulent year for international data privacy issues in 2017. The top five international data privacy issues follow.
On January 11, 2017, the Swiss Federal Council and the U.S. International Trade Administration (ITA) announced that the Swiss-U.S. Privacy Shield will replace the U.S.-Swiss Safe Harbor Framework to permit U.S. businesses to transfer personal data from Switzerland to the U.S. in compliance with Swiss data protection laws. The validity of the U.S.-Swiss Safe Harbor Framework had been called into question ever since its European Union counterpart, the U.S.-EU Safe Harbor Framework, was invalidated by the European Court of Justice in October of 2015.
On July 12, 2016, the European Commission formally adopted the EU-U.S. Privacy Shield to replace the previously invalidated Safe Harbor Framework as an adequate method of transferring personal data from the European Economic Area to the United States. The U.S. Department of Commerce (DOC) will begin processing self-certification applications beginning August 1, 2016.
On June 24, 2016, the European Commission announced that it had reached a final agreement with the United States on the terms of the EU-U.S. Privacy Shield, which will permit U.S. companies to transfer the personal data of European Union (EU) citizens to the United States in compliance with EU data protection laws. The terms of the final agreement address several concerns raised by EU regulators about the initial Privacy Shield agreement reached in February of 2016, including concerns about the U.S. government’s ability to conduct mass surveillance of transferred data, the independence of the U.S. ombudsperson who will adjudicate complaints from EU citizens regarding misuse of their data, and the lack of protections regarding data retention and transfers to other companies.
The people of the United Kingdom have spoken on the issue of whether the United Kingdom should leave or remain in the European Union (EU), and by a narrow margin have decided to leave. In fact, by region, the voters of Scotland and Northern Ireland and a large majority in the country’s economic powerhouse, London (along with most major employers and financial organizations), clearly wished to remain in the EU but have been outvoted in the referendum by parts of England that have not prospered in recent years and that perhaps never recovered from the 2008 recession.
On February 29, 2016, the European Commission (EC) and U.S. Department of Commerce (DOC) published a series of documents providing details for the implementation of the new EU-US Privacy Shield framework for the transfer of personal data from the European Union to the United States. Once it is formally adopted by the EC sometime this spring, this new framework will replace the Safe Harbor scheme that was invalidated by the European Court of Justice (ECJ) in October of 2015 in the Schrems decision.
On February 3, 2016, the Article 29 Working Party, the EU body representing the data protection authorities (DPA) of each EU member country, announced that all of the DPAs across the EU have agreed to extend the current moratorium on enforcement action regarding transatlantic data transfers until they have had time to scrutinize the EU-U.S. Privacy Shield data transfer program.
On February 2, 2016, in a meeting conducted in Brussels, the European Commission and the United States agreed on a new framework for transatlantic data flows. With all the negative connotations surrounding it, the name “Safe Harbour” has been dropped, and the new agreement will be called the “EU-US Privacy Shield.”
After four years of debate and a year of uncertainty over the future of data transfers from the European Union (EU) to the United States, this week has seen a historic move towards finalizing new legislation to govern data privacy and protection laws in Europe. On December 15, 2015, negotiators from the Council of the European Union, European Parliament, and European Commission agreed on the text of the long-awaited General Data Protection Regulation (GDPR), the biggest shake-up of data privacy laws in 20 years. On December 17, 2015, this text was approved by the European Parliament’s Civil Liberties Committee. The final steps will be a vote in the Parliament as a whole in the New Year, followed shortly thereafter, it is hoped, by the text’s formal adoption by the Council of Ministers, the representatives of the 28 countries in the European Union.
On October 6, 2015, the European Court of Justice (ECJ) issued its much-anticipated decision in Schrems v. Data Protection Commissioner, Case C-362/14, invalidating the European Commission’s Decision 2000/520, which previously held that the Safe Harbor principles provided adequate protection for personal data transferred from the European Union (EU) to the United States. While the ECJ did not go as far as invalidating the U.S.-EU Safe Harbor Framework itself, it ruled that data protection authorities in each EU country were no longer bound by Decision 2000/520 and had the power to review the adequacy of the Safe Harbor principles under their national data protection laws. Further, the ECJ decision did not address the viability of other EU-approved methods of transferring personal data, such as standard contractual clauses and binding corporate rules, but the rationale underpinning the ECJ’s decision, i.e., the ability of U.S. surveillance agencies to access personal data transferred from the EU, is equally applicable to a determination of whether other EU-approved data transfer methods provide adequate protection under EU data protection laws.
Citing the European Court of Justice’s (ECJ) October 6, 2015 decision in Schrems v. Data Protection Commissioner, which invalidated the EU Commission’s Safe Harbor decision, the Israeli Law, Information and Technology Authority (ILITA) announced, on October 19, 2015, that it was revoking its prior authorization of transfers of personal data from Israel to the United States based on the Safe Harbor Framework.
On October 14, 2015, the data protection commissioner for the German state of Schleswig-Holstein issued a position paper declaring that the use of model contract clauses by U.S. companies and European employees’ consent to the transfer of their personal data to the United States are invalid. This position paper, which comes on the heels of the European Court of Justice’s (ECJ) October 6 decision in Schrems v. Data Protection Commissioner to invalidate the legal basis for the U.S.-EU Safe Harbor Framework, is based on the same rationale as that groundbreaking decision.